
RAM Not Clearing - Malware Still Present

Discussion in 'Linux and Unix' started by hv55, Jun 15, 2018.

  1. hv55

    hv55 Thread Starter

    Joined:
    Jun 15, 2018
    Messages:
    29
    In this forum, I see quite a lot of questions about what to do when someone's system gets hacked or someone gets remote access from a trojan, and how to get rid of that malware. But I didn't see anything about the RAM and malware.

    On my Asus laptop, I don't think the RAM is fully clearing.

    Someone hacked onto my computer the other day when I was using my live DVD Debian 9. I had heard previously that a script can be uploaded or some software settings can be modified so that the RAM does not fully clear. There is no hard drive in the computer, including when they got malware on my computer the other day, so it is not on the hard drive.

    How do I know they got on and are still on? They open new tabs on their own - they open the bookmark manager, click on bookmarks, etc. They are on here.

    I fully shut down the computer without any shortcuts; I do not hit the power key.

    So, if they modified the RAM so it does not fully clear, and the malware stays on, what do I need to do to the computer to get it back to "default", whereby the RAM fully clears on shutdown? I just want to get it back to its original RAM settings.

    Also, I am running the live DVDs on a DVD-ROM drive - so nothing should be able to write to the DVDs, and they have never been played in any other DVD drive.


    Asus laptop X555LAB, 64-bit, Debian 9 OS
    Thank you,
    Stephanie
     
    Last edited: Jun 15, 2018
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    What you are describing is an impossibility: malware cannot remain in RAM when the computer is shut down and powered off.
    If you are using a Debian live CD then nothing can remain when you reboot.
    This is much more likely to be a hardware issue, unless you have the DVD set to be writable and some malware has written to the CD/DVD and is then loading each time you use the DVD.

    I suppose it is just possible that the BIOS or boot loader has been affected.

    Moved to Linux forum.
     
  3. Johnny b

    Johnny b

    Joined:
    Nov 6, 2016
    Messages:
    5,974
    First Name:
    John
    I've not used Debian on a Live DVD, but it's probably similar in concept to the Puppy Linux I use.
    dvk01 has a point.
    If you are saving your sessions when you shut down your computer, it is possible for malicious script to be written to that DVD.

    Because Live CD/DVDs need to be updated from time to time, I keep mine writable but unmount after every boot so nothing can be unknowingly written to disk during that session or on shutdown.
    I do hard shutdowns all the time except for updates.

    But once the DVD is infected, it's probably easier to simply burn a fresh Live CD/DVD from install media. And then you'd also be assured it's a clean install.

    I also run without a hard drive and like the concept.
     
  4. hv55

    hv55 Thread Starter

    Joined:
    Jun 15, 2018
    Messages:
    29
    Thanks. First, I'm using the DVD in a DVD-ROM - read only - so it should be impossible for malware to write to the DVD, yes?

    In reading online about RAM & malware, I kept reading about "programs" being uploaded that affected the RAM clearing, or at least in regards to the RAM. But with no hard drive, where would the programs be permanently installed (permanent unless removed)?

    Maybe the BIOS or boot loader 'has' been affected. What would I need to do to the BIOS or boot loader to get it back to default? I see the BIOS has the 'reset to default settings' option.... If yes, what about the boot loader? Where is the boot loader?

    Thanks again
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    This sounds more like a hardware issue with a sticky key or shortcut key combinations that are opening bookmarks, or just possibly a rogue extension in whichever browser you are using.
    If the DVD is read only and not writable at all, then unless it is hardware and a sticky key, it would mean that the DVD was compromised somehow on burning.
    Best advice is to download & burn a new copy of Debian from a known safe source & use that.
    If the problem still exists, then somebody can consider looking deeper. But the likelihood of you being hacked and only your bookmarks affected is so remote that in all reality it can be discounted.

    When a computer is powered off, RAM is cleared and there are no known ways to keep any data in RAM once the power has been turned off.

    There are a couple of theoretical exploits where RAM can be read after power off, but that needs physical access to the RAM chips and specialised cooling equipment. And that is only workable for a few seconds after power off.

    Note: "RAM can be read", and theoretically some information retrieved. Not acted upon, not written to, not able to store anything & make it load when booted.
     
    Last edited: Jun 18, 2018
  6. hv55

    hv55 Thread Starter

    Joined:
    Jun 15, 2018
    Messages:
    29
    Thanks. The DVD player is ROM / read only, not the disk.

    If the boot loader or the BIOS were affected, could that prevent the RAM from completely clearing? And yes, I do see what you said above about RAM clearing.

    1- It's not just bookmarks opening; other tabs that have nothing to do with bookmarks, someone switching the tab being used / being viewed. Still happening...

    2- When I shut down I get the following error message:
    FAILED: umounting /lib/live/mount/medium
     
  7. tecknurd

    tecknurd

    Joined:
    May 28, 2018
    Messages:
    154
    RAM is volatile, which means that without any energy the data is lost. Using another OS can rule out any case where the BIOS/UEFI is affected by a virus. If you really want to make sure the RAM is cleared, disconnect the battery and AC from the computer after it's powered down.

    Depending on the live Linux distribution that you are using, you have an option to save data to disk. Also, you can save a session. Saving a session records the state of the desktop and any programs that are loaded.

    If you think someone hacked you, pull the plug to the Internet. If the ghostly actions still happen after you disconnect from the Internet, then the mouse cursor might be jumping around, which is caused by bad data packet sync from the computer mouse to your computer, or you may have a tainted ISO. Download again from another server. Check the ISO with the MD5 and/or SHA1 signature file. The disc could have gotten errors during the burn. I suggest burning at the slowest write speed.

    This is a normal message for live Linux distributions loaded from a CD or DVD. There is nothing to be alarmed about in this message. If you don't think so, go to that path. It should list the contents of the disc.
     
    Johnny b likes this.
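    The checksum check tecknurd describes, written out as an added example that is not from any post in this thread: a POSIX shell function that compares a downloaded image against the project's published SHA1SUMS or MD5SUMS file, with a one-byte-tampered copy to show the mismatch case. It assumes GNU coreutils (sha1sum, md5sum, mktemp, dd); the "ISO" and digest list are constructed stand-ins, not real Debian files.

    ```shell
    #!/bin/sh
    # Added example, not from any post in this thread: verify a downloaded live
    # ISO against its published SHA1SUMS/MD5SUMS file before burning it, the
    # check tecknurd recommends. Assumes POSIX sh plus GNU coreutils (sha1sum,
    # md5sum, mktemp, dd). The checksum file must be fetched from the trusted
    # project site, not from wherever the ISO came from, or the check proves
    # nothing about a tampered download.

    # verify_iso ISO SUMS_FILE [ALGO]   ALGO is sha1 (default) or md5.
    # Returns 0 on match, 1 on digest mismatch, 2 if ISO is not listed.
    verify_iso() {
        iso="$1"; sums="$2"; algo="${3:-sha1}"
        name=$(basename "$iso")
        # coreutils sums lines look like: "<hexdigest>  <filename>"
        expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
        if [ -z "$expected" ]; then
            echo "NOT LISTED: $name is absent from $(basename "$sums")"
            return 2
        fi
        actual=$("${algo}sum" "$iso" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK: $name matches the published $algo digest"
            return 0
        fi
        echo "MISMATCH: $name published=$expected computed=$actual"
        return 1
    }

    # Constructed demo data (stand-ins, not real Debian images): a tiny "ISO",
    # its genuine digest list, and a copy with one byte changed, saved under the
    # same filename in another directory to model a tainted download.
    demo_dir=$(mktemp -d)
    printf 'debian-live-9-stand-in\n' > "$demo_dir/debian-live.iso"
    ( cd "$demo_dir" && sha1sum debian-live.iso > SHA1SUMS )
    mkdir "$demo_dir/bad"
    cp "$demo_dir/debian-live.iso" "$demo_dir/bad/debian-live.iso"
    printf 'X' | dd of="$demo_dir/bad/debian-live.iso" bs=1 seek=3 conv=notrunc 2>/dev/null

    verify_iso "$demo_dir/debian-live.iso"     "$demo_dir/SHA1SUMS"        # OK, status 0
    verify_iso "$demo_dir/bad/debian-live.iso" "$demo_dir/SHA1SUMS" || echo "exit status $?"  # MISMATCH, 1
    ```

    A digest that matches only tells you the file is the one the project published; it says nothing about a bad burn, so the disc itself should still be checked after writing.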
  8. hv55

    hv55 Thread Starter

    Joined:
    Jun 15, 2018
    Messages:
    29
    Thanks. I am using Debian 9 - how would I be able to save a session? If someone got on my computer, could they set the BIOS or boot loader or something else to "automatically" save the session, thereby keeping potential malware? On the other hand, I am using a DVD-ROM - the DVD player is "read only".

    Can you explain how this would work? Thx.
     
  9. Johnny b

    Johnny b

    Joined:
    Nov 6, 2016
    Messages:
    5,974
    First Name:
    John
    As stated before, because you are using a read-only DVD player, nothing can be written to your DVD, thus nothing can be saved to that DVD.

    Could you have malware saved to the firmware of your hardware? Possible but unlikely.
    Could there be an intrusion of your router and DNS settings changed? Also possible.

    Start with the easy diagnosis first.
    Convenient with your current hardware configuration would be a version of Puppy Linux burned to a DVD as a Live OS, just as you seem to have done with Debian.
    If the problem persists with Puppy, your problem is likely hardware oriented.

    IMO, a good Puppy distro is Xenialpup 7.5.
    You can download it here:
    http://distro.ibiblio.org/puppylinux/puppy-xenial/64/
     
  10. hv55

    hv55 Thread Starter

    Joined:
    Jun 15, 2018
    Messages:
    29
    Someone burned a copy of the Puppy DVD - I'll try it and see. Thx.
     
  11. hv55

    hv55 Thread Starter

    Joined:
    Jun 15, 2018
    Messages:
    29
    OK, tried it - exact same problem. So I am back on the Deb 9. I noticed, though, that they weren't on right away when I switched OSes.

    Right or wrong, this is what I think may be happening. Simply, I think they are hacking the OS. I was told by someone to make sure that my Deb 9 OS is NOT defaulting to admin #. To see, I had to type in 'sudo -s' and see if it goes straight to #.... and it did. When I first turn on the live DVD, what can I do to make the OS NOT default to admin? I was told that it takes longer, to much longer, for someone to get on if the OS is not set to admin. Even if it is malware in the firmware, I would still like to set this up. Right now, this is the most important thing I really want to do. Any help is appreciated.

    I also see in account settings that it says "automatic login". I imagine upon loading the Deb 9 DVD, I should disable that.
     
  12. managed

    managed Trusted Advisor Spam Fighter

    Joined:
    May 24, 2003
    Messages:
    12,977
    First Name:
    Allan
    See if the same problem occurs when you are not connected to the internet and using a clean OS you just downloaded and burned to CD/DVD. If it happens then it's a hardware problem.
     
  13. plodr

    plodr

    Joined:
    Jun 27, 2014
    Messages:
    19,088
    First Name:
    Liz
    Are you behind a router? If so, someone would have to hack your modem and router to get a connection and know the IP of your computer BEFORE he/she could proceed to hack the computer.

    As soon as the live DVD or USB stick is removed, all the malware is gone.

    So what would be the point of hacking into a computer behind a hardware firewall on an OS that loads into RAM? Truthfully, it would be a waste of time for a hacker because nothing is gained.
     
    Johnny b likes this.
  14. hv55

    hv55 Thread Starter

    Joined:
    Jun 15, 2018
    Messages:
    29
    'managed': when offline, no problems. Thanks.
    'plodr': yes, to an extent. My understanding is that once they have hacked the modem and router, and know the IP, in the future when trying to hack the OS they would be able to breeze through this part and go right to hacking the OS. On the other hand, I know this sociopath wants to get on my computer to see where I apply for jobs, etc., so she will spend the time having her son do it, even though once they hack the OS, and I shut off, they would have to start all over.
    QUESTION: "when I shut off" - is it true that by me just unplugging the ethernet cord from the computer, if they are trying to hack the OS, they have to start over once I pull the ethernet cord (while I am online)? I realize if they are ALREADY on, it doesn't matter. This is important for me to know, since I am under the impression that once I pull that ethernet cord, they are back to square zero as far as working on the OS (not modem, etc.).
     
  15. tecknurd

    tecknurd

    Joined:
    May 28, 2018
    Messages:
    154
    When using consumer network equipment, the router is the firewall. The modem doesn't have a firewall. If you haven't changed the administrator password of the router, then this problem is your fault. Also, updating the firmware of the router helps decrease vulnerabilities. Turning off the router will erase whatever backdoor the hacker has placed. If your ISP uses dynamic IP addresses and you turn off the modem and router before going to bed and turn these devices on when you wake up, the ISP should give you a different IP address. Unfortunately, the next person that gets the IP address you were using will have the same problem you are experiencing. Hopefully, the ISP is monitoring the traffic and stops the hacker. You may want to notify the ISP about the hacking problem.

    There is a possibility that one of your computers is compromised and the hacker is using it for the attacks. Disconnect, or better, turn off the modem and use Wireshark. Use Wireshark to monitor any information that is phoning home outside your network.

    The only way to get hacked is if you have visited a malicious website. Another possibility is you download a program and it installs extra programs without you knowing. These days, do a custom install to be sure nothing extra is installed but the program that you downloaded. It does help to manually scan the files you downloaded for viruses before installing and running them.

    In your router settings, you can use OpenDNS servers instead of what your ISP gives you. OpenDNS will protect any computers on your network from visiting malicious websites. It is free, so keep in mind it won't be perfect.
     
Short URL to this thread: https://techguy.org/1211637